by skygazer 604 days ago
This is likely a very naive question, but how did the spoofer know his IP was participating as an internal Tor node? From what vantage point can that be seen? I imagine internal Tor nodes must know to connect to each other, so it must propagate through Tor. Is the attacker also a Tor node? Is it trivial to map all Tor hosts?

All public Tor relays are openly listed on Tor’s directory. You can query for relays yourself here - https://metrics.torproject.org/rs.html
Tor has something called a consensus that lists all relays and their flags. Clients need this to know which relays to make a circuit with. For most clients, they select a relay labelled as a guard from this file, which is where their traffic first enters Tor. Some countries realized they could just block all of these IP addresses and stop people using Tor, so there are unlisted guard nodes called bridges, designed for censorship circumvention, that you have to get by filling out a captcha or, say, sending an email.
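
An added example, not part of either comment above: a small parser for the relay ("r") and flag ("s") lines of a consensus document, used to check whether source IPs from a log are listed relays and with which flags. The sample consensus text, nicknames, digests and IPs are constructed, and the function names are hypothetical; bridges are unlisted and would not appear in such a lookup.

```python
# Constructed sample in the "r"/"s" line layout of a network-status consensus.
# Nicknames, digests and addresses (RFC 5737 documentation ranges) are made up.
SAMPLE_CONSENSUS = """\
r relayAlpha AAAAAAAAAAAAAAAAAAAAAAAAAAA BBBBBBBBBBBBBBBBBBBBBBBBBBB 2024-01-01 00:00:00 192.0.2.10 9001 0
s Fast Guard Running Stable Valid
r relayBeta CCCCCCCCCCCCCCCCCCCCCCCCCCC DDDDDDDDDDDDDDDDDDDDDDDDDDD 2024-01-01 00:00:00 198.51.100.7 443 80
s Exit Fast Running Valid
r relayGamma EEEEEEEEEEEEEEEEEEEEEEEEEEE FFFFFFFFFFFFFFFFFFFFFFFFFFF 2024-01-01 00:00:00 203.0.113.5 9001 0
s Fast Running Valid
"""


def parse_relays(consensus_text):
    """Return {ip: [relay, ...]}; several relays may share one IP address."""
    relays, current = {}, None
    for line in consensus_text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if parts[0] == "r" and len(parts) >= 9:
            # Fields: r nickname identity digest date time IP ORPort DirPort
            current = {"nickname": parts[1], "or_port": int(parts[7]), "flags": set()}
            relays.setdefault(parts[6], []).append(current)
        elif parts[0] == "s" and current is not None:
            # The flag line belongs to the most recent "r" line.
            current["flags"] = set(parts[1:])
            current = None
    return relays


def tor_hits(source_ips, relays):
    """Map each source IP that is a listed relay to (nickname, sorted flags)."""
    hits = {}
    for ip in source_ips:
        for relay in relays.get(ip, []):
            hits.setdefault(ip, []).append((relay["nickname"], sorted(relay["flags"])))
    return hits


if __name__ == "__main__":
    listed = parse_relays(SAMPLE_CONSENSUS)
    # Constructed log source IPs: one listed relay, one unrelated host.
    print(tor_hits(["192.0.2.10", "192.0.2.99"], listed))
```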